Please help. How can I update the necessary CXF files without breaking the rest of the code?
We have Talend Open Studio Big Data 8.0.1 on Windows 2016, using the tRESTClient component to connect to a server. Recently our security group made me update several jars because of the CVE-2022-46364 vulnerability. I have updated cxf-core, cxf-rt-databinding-jaxb, cxf-rt-rs-client and cxf-rt-rs-extension-providers to the latest version, 4.0.0.
However, I now get the error "The type jakarta.ws.rs.ext.MessageBodyWriter cannot be resolved. It is indirectly referenced from required .class files." After some searching I replaced jakarta.ws.rs-api with version 3.1.0 (was 2.1.0) and still have this error. In the code the errors are highlighted at the .getResponse() and .readFrom() classes in the following lines:
<code>
// Talend-generated tRESTClient code: webClient_tRESTClient_2 is the CXF WebClient
int webClientResponseStatus_tRESTClient_2 = webClient_tRESTClient_2.getResponse().getStatus();
if (webClientResponseStatus_tRESTClient_2 >= 300) {
    // generated code still uses the javax.ws.rs namespace; CXF 4.x is built against jakarta.ws.rs
    throw new javax.ws.rs.WebApplicationException(webClient_tRESTClient_2.getResponse());
}
</code>
and in the following:
<code>
    // tail of the readFrom(...) override in the generated provider code
    if (!org.apache.cxf.common.util.StringUtils.isEmpty(contentLength)
            && Integer.valueOf(contentLength) <= 0) {
        // empty response body: return an empty dom4j document instead of parsing nothing
        try {
            return org.dom4j.DocumentHelper.parseText("<root/>");
        } catch (org.dom4j.DocumentException e_tRESTClient_2) {
            e_tRESTClient_2.printStackTrace();
        }
        return null;
    }
    // readFrom(Class, Type, Annotation[], MediaType, MultivaluedMap, InputStream)
    // is the JAX-RS MessageBodyReader signature; it resolves against whichever
    // JAX-RS API (javax or jakarta namespace) is on the classpath
    return super.readFrom(cls, type, anns, mt, headers, is);
}
});
</code>
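The compiler error in the post is a classpath namespace mismatch: Apache CXF 4.x is compiled against jakarta.ws.rs (JAX-RS 3.x), while the Talend-generated code above still references javax.ws.rs, and jakarta.ws.rs-api 2.1.x still ships the javax.* packages. The following script is an added example, not code from the original post, Talend, or Apache CXF. It audits a lib directory of jars and a set of generated .java sources, reporting which JAX-RS namespace each jar provides, which namespace each jar's own classes and each source file need, and which needed namespace no jar provides. The jar names, fake class bytes and generated-source line in build_demo() are constructed to mirror the post (CXF 4.0.0 jars, jakarta.ws.rs-api 3.1.0, javax-style generated code) and are not real artifacts.

```python
"""Audit a lib directory for mixed javax.ws.rs / jakarta.ws.rs JAX-RS jars.

Added example, not Talend's or Apache CXF's code. Facts it relies on: a jar is
a zip file; a compiled .class file stores the internal names of the types it
references as plain UTF-8 strings (e.g. b"javax/ws/rs/WebApplicationException")
in its constant pool; CXF 3.x is compiled against javax.ws.rs and CXF 4.x
against jakarta.ws.rs. Everything build_demo() writes is constructed test data.
"""
import os
import tempfile
import zipfile

NAMESPACES = ("javax", "jakarta")


def _namespaces_in(blob: bytes) -> set:
    """Which JAX-RS namespaces does a blob of class bytes or Java source mention?"""
    found = set()
    for ns in NAMESPACES:
        # class files use '/' (internal names), Java sources use '.'
        if f"{ns}/ws/rs/".encode() in blob or f"{ns}.ws.rs.".encode() in blob:
            found.add(ns)
    return found


def inspect_jar(jar_path: str) -> dict:
    """Return which JAX-RS namespaces a jar provides (ships the API classes)
    and which it needs (its own compiled classes reference them)."""
    provides, needs = set(), set()
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            for ns in NAMESPACES:
                if info.filename.startswith(f"{ns}/ws/rs/"):
                    provides.add(ns)
            if info.filename.endswith(".class"):
                needs |= _namespaces_in(zf.read(info))
    # an API jar naturally references its own package; that is not a dependency
    return {"provides": provides, "needs": needs - provides}


def audit(lib_dir: str, sources: dict) -> dict:
    """sources maps a file name (e.g. a Talend-generated .java file) to its text.
    Returns the namespaces provided on the classpath, who needs which, and which
    needed namespace nothing provides (that is what the compiler will report)."""
    provided = set()
    needed_by = {ns: [] for ns in NAMESPACES}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        info = inspect_jar(os.path.join(lib_dir, name))
        provided |= info["provides"]
        for ns in info["needs"]:
            needed_by[ns].append(name)
    for name, text in sorted(sources.items()):
        for ns in _namespaces_in(text.encode()):
            needed_by[ns].append(name)
    missing = {ns: users for ns, users in needed_by.items()
               if users and ns not in provided}
    return {"provided": provided, "needed_by": needed_by, "missing": missing}


def _fake_class(referenced_internal_name: str) -> bytes:
    """Constructed stand-in for a .class file: the magic number plus one
    constant-pool-style string. A real class file has far more structure."""
    return b"\xca\xfe\xba\xbe" + referenced_internal_name.encode() + b"\x00"


def build_demo(lib_dir: str) -> dict:
    """Reproduce the post's situation with constructed jars: CXF 4.0.0 (needs
    jakarta), jakarta.ws.rs-api 3.1.0 (provides jakarta) and generated code
    still written against javax.ws.rs. Returns the sources dict for audit()."""
    jars = {
        "cxf-rt-rs-client-4.0.0.jar": {
            "org/apache/cxf/jaxrs/client/WebClient.class":
                _fake_class("jakarta/ws/rs/core/Response"),
        },
        "jakarta.ws.rs-api-3.1.0.jar": {
            "jakarta/ws/rs/ext/MessageBodyWriter.class":
                _fake_class("jakarta/ws/rs/ext/MessageBodyWriter"),
        },
    }
    for jar_name, entries in jars.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
    # the line from the post's generated code, still in the javax namespace
    generated = ("throw new javax.ws.rs.WebApplicationException("
                 "webClient_tRESTClient_2.getResponse());")
    return {"tRESTClient_2.java": generated}


def run_demo() -> dict:
    """Build the constructed classpath in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as lib:
        return audit(lib, build_demo(lib))


if __name__ == "__main__":
    report = run_demo()
    print("provided on classpath:", sorted(report["provided"]))
    for ns, users in report["missing"].items():
        print(f"{ns}.ws.rs is needed by {users} but no jar provides it")
```

On the constructed classpath the report says that jakarta.ws.rs is provided and needed only by the CXF 4.0.0 jar, while javax.ws.rs is needed by the generated source and provided by nothing, which is exactly the "cannot be resolved / indirectly referenced" situation in the post. To use it on a real installation, point audit() at the studio's lib directory and pass the generated .java files of the job. The two consistent end states are: all jars and the generated code on jakarta.ws.rs (CXF 4.x plus jakarta.ws.rs-api 3.x, with the generated javax imports rewritten), or all on javax.ws.rs, which is what the CXF 3.x line still uses; the fixes for CVE-2022-46363 and CVE-2022-46364 were also released in CXF 3.5.5 and 3.4.10.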
Hello,
Regarding these Apache CXF security issues:
https://nvd.nist.gov/vuln/detail/CVE-2022-46363
It seems that it only applies if a CXF service is misconfigured; it is not a real-world vulnerability.
For the vulnerabilities CVE-2022-46363 and CVE-2022-46364, the Talend patch will tentatively be out by the end of this month as the 2023-01 release in the Talend subscription solution.
I'm afraid we do not supply patches for the Open Studio releases. We only provide patches for our subscription products.
For Talend Open Studio, we will check with our R&D team to see whether there are any mitigation instructions for existing products (Talend Open Studio v8.0) and will keep you posted as soon as there is any information about the next release of Open Studio.
Best regards
Sabrina